Patched Exim - patch again. Fresh Remote Command Execution in Exim 4.92 in one request


Not long ago, at the beginning of summer, there were widespread calls to update Exim to version 4.92 because of CVE-2019-10149 (see "Urgently update exim to 4.92 - there is an active infection" / Sudo Null IT News). It later turned out that the Sustes malware was actively exploiting that vulnerability.

Now everyone who updated in a hurry can "rejoice" again: on July 21, 2019, the researcher Zerons discovered a critical vulnerability in the Exim mail transfer agent (MTA), affecting versions 4.80 through 4.92.1 inclusive whenever TLS is in use, that allows remote code execution with root privileges (CVE-2019-15846).

Vulnerability

The vulnerability is present with both the GnuTLS and the OpenSSL backends, i.e. with either library used to accept a TLS connection.

According to Exim developer Heiko Schlittermann, Exim's default configuration file does not enable TLS, but many distributions generate the necessary certificates during installation and turn TLS on. Newer Exim versions also default tls_advertise_hosts to "*" and create a self-signed certificate if none is provided. In his own words:

depends on the configuration. Most distros enable it by default, but Exim needs a certificate+key to work as a TLS server. Probably Distros create a Cert during setup. Newer Exims have the tls_advertise_hosts option defaulting to "*" and create a self signed certificate, if none is provided.

The vulnerability itself lies in the incorrect handling of the SNI (Server Name Indication, the TLS extension introduced in 2003 in RFC 3546 that lets a client say which hostname it is connecting to, so the server can present the matching certificate) during the TLS handshake. An attacker only needs to send an SNI value ending in a backslash ("\") followed by a null byte ("\0").

Researchers from Qualys traced the bug to the function string_printing(tls_in.sni), which does not escape the backslash ("\"). As a result the trailing backslash is written as-is into the spool header file. That file is later read back, as root, by spool_read_header(), and unescaping the trailing backslash there leads to a heap overflow.
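To make the escaping bug concrete, here is an added example written for this page; it is not Exim's code. It is a stripped-down model of the spool round trip: model_print stands in for string_printing() when the SNI is written to the spool header, and model_unprint for the unescaping done when the header is read back. The function names, the \xNN escape form, the buffer sizes and the sample SNI values are assumptions of the model. Where the real decoder would read and write past the end of its buffer, the model stops and reports an error instead of reproducing the overflow, and it does not model why the NUL byte matters beyond the fact that a C string ends there.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { SPOOL_MAX = 256 };

/* Constructed inputs, not captured traffic: SNI bytes as the TLS extension
 * carries them (length-prefixed, so a NUL byte is legal on the wire). */
static const unsigned char EVIL_SNI[]   = "mail.example.com\\" "\0";   /* ends in "\" + NUL */
static const unsigned char BENIGN_SNI[] = "mail.example.com";
static const unsigned char CTRL_SNI[]   = "mail\x01.example.com";       /* needs \xNN escaping */

/* Model of string_printing(): make a byte string safe for one spool header
 * line.  Non-printable bytes become \xNN.  With escape_backslash == 0 (the
 * vulnerable behaviour) a backslash is copied through untouched, so a value
 * that ends in a backslash is written ending in a lone backslash.
 * Returns the output length, or -1 if out is too small. */
static int model_print(const char *s, char *out, size_t outsz, int escape_backslash)
{
    size_t n = 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '\\' && escape_backslash) {
            if (n + 2 >= outsz) return -1;
            out[n++] = '\\';
            out[n++] = '\\';
        } else if (isprint(c)) {
            if (n + 1 >= outsz) return -1;
            out[n++] = (char)c;
        } else {
            if (n + 4 >= outsz) return -1;
            n += (size_t)snprintf(out + n, outsz - n, "\\x%02x", c);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Model of the decoder applied when the spool header is read back.  It has
 * the shape of the vulnerable loop: on a backslash it inspects the next byte
 * and then advances by two (four for \xNN).  A trailing backslash therefore
 * steps over the terminating NUL; real code would keep reading and copying
 * from beyond the string (the heap overflow).  This model returns -1 there. */
static int model_unprint(const char *s, char *out, size_t outsz)
{
    const char *end = s + strlen(s);
    size_t n = 0;
    while (*s) {
        if (n + 1 >= outsz) return -1;
        if (*s != '\\') { out[n++] = *s++; continue; }
        if (s[1] == '\0') {                    /* lone trailing backslash */
            s += 2;                            /* skips past the NUL terminator */
        } else if (s[1] == '\\') {
            out[n++] = '\\'; s += 2;
        } else if (s[1] == 'x' && isxdigit((unsigned char)s[2]) && isxdigit((unsigned char)s[3])) {
            unsigned v = 0;
            sscanf(s + 2, "%2x", &v);
            out[n++] = (char)v; s += 4;
        } else {
            out[n++] = s[1]; s += 2;          /* unknown escape: keep the byte */
        }
        if (s > end) return -1;                /* would now read out of bounds */
    }
    out[n] = '\0';
    return (int)n;
}

/* Store the SNI as a C string (an embedded NUL truncates it, as in Exim),
 * write it through model_print and read it back through model_unprint.
 * Returns 1 for a faithful round trip, 0 if the decoder ran off the end of
 * the line, -1 for any other failure or mismatch. */
static int sni_round_trip(const unsigned char *sni, size_t sni_len, int escape_backslash)
{
    char cstr[SPOOL_MAX], line[SPOOL_MAX], decoded[SPOOL_MAX];
    size_t keep = sni_len < SPOOL_MAX - 1 ? sni_len : SPOOL_MAX - 1;

    memcpy(cstr, sni, keep);
    cstr[keep] = '\0';
    if (model_print(cstr, line, sizeof line, escape_backslash) < 0) return -1;
    if (model_unprint(line, decoded, sizeof decoded) < 0) return 0;
    return strcmp(decoded, cstr) == 0 ? 1 : -1;
}

int main(void)
{
    printf("vulnerable printing, SNI ending in backslash: %d (0 = decoder runs off the end)\n",
           sni_round_trip(EVIL_SNI, sizeof EVIL_SNI - 1, 0));
    printf("escaped printing,    SNI ending in backslash: %d (1 = faithful round trip)\n",
           sni_round_trip(EVIL_SNI, sizeof EVIL_SNI - 1, 1));
    printf("vulnerable printing, ordinary SNI:            %d\n",
           sni_round_trip(BENIGN_SNI, sizeof BENIGN_SNI - 1, 0));
    printf("vulnerable printing, SNI with control byte:   %d\n",
           sni_round_trip(CTRL_SNI, sizeof CTRL_SNI - 1, 0));
    return 0;
}
```

The escape_backslash = 1 path shows the hardening direction: if the backslash is escaped on the way into the spool, the decoder never meets a lone trailing one, and the round trip is an exact inverse again. This is a model of the bug class, not a claim about the exact contents of the upstream 4.92.2 patch.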

It is worth noting that the Exim developers already have a working PoC exploit that achieves command execution on a remote vulnerable server, but it has not been made public. Given how easy the bug is to trigger, a public exploit is only a matter of time, and not much of it.

A more detailed analysis by Qualys can be found in their advisory.


Using SNI in TLS

Number of potentially vulnerable public servers

According to statistics from E-Soft Inc. as of September 1, version 4.92 runs on more than 70% of the surveyed servers.

Version           Servers    Share
4.92.1              6,471    1.28%
4.92              376,436   74.22%
4.91               58,179   11.47%
4.9                 5,732    1.13%
4.89               10,700    2.11%
4.87               14,177    2.80%
4.84                9,937    1.96%
other versions     25,568    5.04%
Total (sum of the rows above)  507,200

E-Soft Inc company statistics

A Shodan search gives, out of the 5,250,000 servers in its database:

  • about 3,500,000 running Exim 4.92 (about 1,380,000 of them with SSL/TLS);
  • over 74,000 running 4.92.1 (about 25,000 of them with SSL/TLS).

So the number of publicly reachable, potentially vulnerable Exim servers is on the order of 1.5 million.
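Since the Shodan counts above are keyed on the version string in the SMTP greeting, anyone triaging such a list needs a version-range check. The following is an added example, written for this page and not taken from the article or from Exim: it pulls the version out of a standard Exim greeting banner ("220 host ESMTP Exim 4.92 ...") and tests it against the range the advisory names, 4.80 through 4.92.1 inclusive. The sample banners and host names are constructed. Two caveats a practitioner will want: distributions backport fixes without changing the banner, so "in range" means "check this host", not "vulnerable"; and feed the function the banner's own string, since the minor part is compared as an integer and a survey table that drops a trailing zero ("4.9" for 4.90) would be misread.

```c
#include <stdio.h>
#include <string.h>

typedef struct { int major, minor, patch; } exim_version;

/* Parse "major.minor[.patch]" from the start of s.  Returns 1 on success.
 * The minor part is a plain integer: "4.92" > "4.9", so this expects the
 * banner's own string, not a table that may have dropped a trailing zero. */
static int parse_exim_version(const char *s, exim_version *v)
{
    v->major = v->minor = v->patch = 0;
    return sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) >= 2;
}

static int compare_versions(exim_version a, exim_version b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* 1: the banner advertises an Exim version in [4.80, 4.92.1], the range the
 * advisory names; 0: Exim, but outside that range (older or already 4.92.2+);
 * -1: not an Exim banner, or no parsable version after "Exim ". */
static int banner_in_affected_range(const char *banner)
{
    static const exim_version lo = { 4, 80, 0 }, hi = { 4, 92, 1 };
    const char *p = strstr(banner, "Exim ");
    exim_version v;
    if (!p || !parse_exim_version(p + 5, &v)) return -1;
    return compare_versions(v, lo) >= 0 && compare_versions(v, hi) <= 0;
}

/* Constructed sample banners (example.net hosts, not real systems). */
static const char *const SAMPLE_BANNERS[] = {
    "220 mx1.example.net ESMTP Exim 4.92 Tue, 10 Sep 2019 12:00:00 +0000",
    "220 mx2.example.net ESMTP Exim 4.92.1 Tue, 10 Sep 2019 12:00:01 +0000",
    "220 mx3.example.net ESMTP Exim 4.92.2 Tue, 10 Sep 2019 12:00:02 +0000",
    "220 mx4.example.net ESMTP Exim 4.72 Tue, 10 Sep 2019 12:00:03 +0000",
    "220 mx5.example.net ESMTP Postfix",
};
enum { SAMPLE_COUNT = sizeof SAMPLE_BANNERS / sizeof SAMPLE_BANNERS[0] };

/* Count banners that fall in the affected range. */
static int count_in_affected_range(const char *const *banners, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (banner_in_affected_range(banners[i]) == 1) hits++;
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("%2d  %s\n", banner_in_affected_range(SAMPLE_BANNERS[i]), SAMPLE_BANNERS[i]);
    printf("%d of %d sample banners are in the affected range\n",
           count_in_affected_range(SAMPLE_BANNERS, SAMPLE_COUNT), (int)SAMPLE_COUNT);
    return 0;
}
```

A host is only reachable by this bug if it also accepts TLS (offers STARTTLS), which is why the Shodan figures above separate out the SSL/TLS subset; the banner check alone does not tell you that.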


Finding Exim Servers in Shodan

Defense

  • The simplest, but not recommended, option is to disable TLS, which means mail will be relayed in the clear.
  • The proper fix is to upgrade to Exim Internet Mailer 4.92.2.
  • If updating or installing a patched package is not possible, add the following rules to the ACL referenced by the acl_smtp_mail option in the Exim configuration; they reject the message when the last character of the SNI or of the peer DN is a backslash (the doubled backslash is how a single literal backslash is written inside the expansion):
    # to be prepended to your mail acl (the ACL referenced
    # by the acl_smtp_mail main config option)
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}

Source: habr.com
